(54) Undeniable digital signature scheme based on quadratic field



(57) An efficient undeniable digital signature
scheme based on a quadratic field is disclosed. Public
keys (D, P, k, t) and secret keys (D1, q) are defined by
generating two primes p, q (p, q > 4, p = 3 mod 4, √(p/3)
< q), computing D1 = -p and D = D1q^2, obtaining a bit
length k of √(|D1|/4) and a bit length t of q-(D1/q) where
(D1/q) denotes Kronecker symbol, and generating a
kernel element P of a map from a class group CI(D) to
a class group CI(D1). Then the signature verification is
realized by first checking whether a norm N(S) of the
signature S is smaller than k bits or not, and judging that
the signature S is illegal when the norm N(S) is larger
than k bits, or generating a challenge C when the norm
N(S) is not larger than k bits, by computing the message
ideal M of the message m, generating a random integer
r smaller than t bits, computing H = (M/S)^r, generating
a random ideal B whose norm is smaller than k-1 bits,
and computing the challenge C = BH, at a verifier side;
then computing a response W by mapping the challenge
C to the class group CI(D1) and pulling the mapped
challenge C back to the class group CI(D) and squaring a
result of mapping and pulling back, using the secret keys
(D1, q), at the signer side; and then checking whether
W = B^2 holds or not, and judging that the signature S is
legal when W = B^2 holds or that the signature S is illegal
otherwise, at the verifier side.
Description

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

[0001] The present invention relates to an undeniable
digital signature scheme which is a type of digital
signature that can protect the privacy of a signer.

DESCRIPTION OF THE BACKGROUND ART 

[0002] In electronic communications, the digital sig- 
nature technology is effective in checking the validity of 
data. The most widely used digital signature is the RSA 
signature that utilizes modular exponentiation calcula- 
tions (see R. Rivest, A. Shamir and L.M. Adleman, "A 
method for obtaining digital signatures and public key 
cryptosystems", Communications of ACM, 21(2), pp. 
120-126, 1978). 

[0003] A digital signature scheme is evaluated by its 
security and its signature generation/verification speed, 
so that a digital signature scheme with a higher security 
and a faster computation speed is considered as supe- 
rior. The security of the RSA signature is based on the 
intractability to compute the secret keys from public 
keys. A more secure system can be realized by making 
the key length of the public key longer. The RSA signa- 
ture involves the modular exponentiation calculations 
that have great computational complexity so that there 
has been a drawback that the signature generation/ver- 
ification requires a considerable amount of time. 
[0004] As a variation of the digital signature, there has 
been a proposition of an undeniable signature (see D. 
Chaum and H. van Antwerpen, "Undeniable Signatures",
Advances in Cryptology - CRYPTO '89, LNCS
435, pp. 212-216, Springer-Verlag, 1990). In the
undeniable signature scheme, the legitimacy of the signature
cannot be verified without communicating with a signer, 
so that the signature can be traced and the privacy of 
the signer can be protected. A standard application of 
the undeniable signature is a secure distribution of soft- 
ware, where a purchaser of the software can make a 
contact with a distributor who is also a signer and check 
that the software does not contain a virus entered by a 
third person. 

[0005] The most efficient undeniable signature
scheme to date is the RSA-based undeniable
signatures (see R. Gennaro, H. Krawczyk and T. Rabin,
"RSA-Based Undeniable Signatures", Advances in
Cryptology - CRYPTO '89, LNCS 435, pp. 212-216,
Springer-Verlag, 1990). This scheme is based on the 
RSA signature so that it is also associated with the prob- 
lem of a large computational complexity. 
[0006] In this regard, a smartcard has been attracting
much attention lately as an easily portable device for
storing secret keys securely. However, a smartcard has
limited computational resources so that a considerable
time would be required to execute the RSA-based
undeniable signature scheme on a smartcard. Moreover,
in the case of using the undeniable signatures in a large
scale information distribution system, there arises a
problem of overloading the server. For these reasons,
there have been demands for an efficient and high speed
undeniable signature scheme.

SUMMARY OF THE INVENTION 

[0007] It is therefore an object of the present invention 
to provide an undeniable digital signature scheme which 
is far more efficient compared with the conventional 
RSA-based undeniable signature scheme, and which is 
capable of resolving the problems associated with the 
conventional RSA-based undeniable signatures. 
[0008] According to one aspect of the present invention
there is provided a method of undeniable digital
signature, comprising the steps of: (a) generating public
keys (D, P, k, t) and secret keys (D1, q) at a signer side,
by generating two primes p, q (p, q > 4, p = 3 mod 4,
√(p/3) < q), computing D1 = -p and D = D1q^2, obtaining
a bit length k of √(|D1|/4) and a bit length t of q-(D1/q)
where (D1/q) denotes Kronecker symbol, and generating
a kernel element P of a map from a class group CI
(D) to a class group CI(D1); (b) generating a signature 
S for a message m at the signer side, by embedding the 
message m into a message ideal M in the class group 
CI(D) where a norm of the message ideal M is larger 
than k+1 bits, and mapping the message ideal M to the 
class group CI(D1) and pulling the mapped message 
ideal M back to the class group CI(D); and (c) verifying 
the signature S by: (c1) checking whether a norm N(S)
of the signature S is smaller than k bits or not, and judging
that the signature S is illegal when the norm N(S) is
larger than k bits, or generating a challenge C when the 
norm N(S) is not larger than k bits, by computing the 
message ideal M of the message m, generating a random
integer r smaller than t bits, computing H = (M/S)^r,
generating a random ideal B whose norm is smaller than 
k-1 bits, and computing the challenge C = BH, at a ver- 
ifier side; (c2) computing a response W by mapping the 
challenge C to the class group CI(D1) and pulling the 
mapped challenge C back to the class group CI(D) and 
squaring a result of mapping and pulling back, using the 
secret keys (D1, q), at the signer side; and (c3) checking
whether W = B^2 holds or not, and judging that the
signature S is legal when W = B^2 holds or that the signature
S is illegal otherwise, at the verifier side.
[0009] According to another aspect of the present invention
there is provided a signer device for processing
an undeniable digital signature, comprising: a key generation
unit for generating public keys (D, P, k, t) and
secret keys (D1, q), by generating two primes p, q (p, q
> 4, p = 3 mod 4, √(p/3) < q), computing D1 = -p and D
= D1q^2, obtaining a bit length k of √(|D1|/4) and a bit
length t of q-(D1/q) where (D1/q) denotes Kronecker
symbol, and generating a kernel element P of a map
from a class group CI(D) to a class group CI(D1); a signature
generation unit for generating a signature S for
a message m, by embedding the message m into a message
ideal M in the class group CI(D) where a norm of
the message ideal M is larger than k+1 bits, and mapping
the message ideal M to the class group CI(D1) and
pulling the mapped message ideal M back to the class
group CI(D); and a response generation unit for receiving
a challenge C = BH from a verifier side, where B is
a random ideal whose norm is smaller than k-1 bits, H
= (M/S)^r, and r is a random integer smaller than t bits,
computing a response W by mapping the challenge C
to the class group CI(D1) and pulling the mapped challenge
C back to the class group CI(D) and squaring a
result of mapping and pulling back, using the secret keys
(D1, q), and sending the response W to the verifier side,
in a process for verifying the signature S.
[0010] According to another aspect of the present invention
there is provided a verifier device for processing
an undeniable digital signature, using a message m and 
a signature S received from a signer side, where public 
keys (D, P, k, t) and secret keys (D1, q) are defined by 
generating two primes p, q (p, q > 4, p = 3 mod 4, √(p/3)
< q), computing D1 = -p and D = D1q^2, obtaining a bit
length k of √(|D1|/4) and a bit length t of q-(D1/q) where
(D1/q) denotes Kronecker symbol, and generating a 
kernel element P of a map from a class group CI(D) to 
a class group CI(D1), and the signature S for the message
m is generated by embedding the message m into
a message ideal M in the class group CI(D) where a 
norm of the message ideal M is larger than k+1 bits, and 
mapping the message ideal M to the class group CI(D1) 
and pulling the mapped message ideal M back to the 
class group CI(D), the verifier device comprising: a norm 
checking unit for checking whether a norm N(S) of the 
signature S is smaller than k bits or not, and judging that 
the signature S is illegal when the norm N(S) is larger 
than k bits; a challenge generation unit for generating a 
challenge C when the norm N(S) is not larger than k bits, 
by computing the message ideal M of the message m,
generating a random integer r smaller than t bits, computing
H = (M/S)^r, generating a random ideal B whose
norm is smaller than k-1 bits, and computing a challenge
C = BH, and for sending the challenge C to a signer side;
and a response checking unit for receiving a response 
W from the signer side, checking whether W = B^2 holds
or not, and judging that the signature S is legal when W
= B^2 holds or that the signature S is illegal otherwise,
where the response W being obtained by mapping the 
challenge C to the class group CI(D1) and pulling the 
mapped challenge C back to the class group CI(D) and 
squaring a result of mapping and pulling back, using the 
secret keys (D1, q).

[0011] According to another aspect of the present invention
there is provided a computer usable medium
having computer readable program codes embodied
therein for causing a computer to function as a signer
device for processing an undeniable digital signature,
the computer readable program codes including: a first
computer readable program code for causing said computer
to generate public keys (D, P, k, t) and secret keys
(D1, q), by generating two primes p, q (p, q > 4, p = 3
mod 4, √(p/3) < q), computing D1 = -p and D = D1q^2,
obtaining a bit length k of √(|D1|/4) and a bit length t of
q-(D1/q) where (D1/q) denotes Kronecker symbol, and
generating a kernel element P of a map from a class
group CI(D) to a class group CI(D1); a second computer
readable program code for causing said computer to
generate a signature S for a message m, by embedding
the message m into a message ideal M in the class
group CI(D) where a norm of the message ideal M is
larger than k+1 bits, and mapping the message ideal M
to the class group CI(D1) and pulling the mapped message
ideal M back to the class group CI(D); and a third
computer readable program code for causing said computer
to receive a challenge C = BH from a verifier side,
where B is a random ideal whose norm is smaller than
k-1 bits, H = (M/S)^r, and r is a random integer smaller
than t bits, compute a response W by mapping the challenge
C to the class group CI(D1) and pulling the
mapped challenge C back to the class group CI(D) and
squaring a result of mapping and pulling back, using the
secret keys (D1, q), and send the response W to the verifier
side, in a process for verifying the signature S.
[0012] According to another aspect of the present invention
there is provided a computer usable medium
having computer readable program codes embodied
therein for causing a computer to function as a verifier
device for processing an undeniable digital signature,
using a message m and a signature S received from a
signer side, where public keys (D, P, k, t) and secret keys
(D1, q) are defined by generating two primes p, q (p, q
> 4, p = 3 mod 4, √(p/3) < q), computing D1 = -p and D =
D1q^2, obtaining a bit length k of √(|D1|/4) and a bit length
t of q-(D1/q) where (D1/q) denotes Kronecker symbol,
and generating a kernel element P of a map from a class
group CI(D) to a class group CI(D1), and the signature
S for the message m is generated by embedding the
message m into a message ideal M in the class group
CI(D) where a norm of the message ideal M is larger
than k+1 bits, and mapping the message ideal M to the
class group CI(D1) and pulling the mapped message
ideal M back to the class group CI(D), the computer
readable program codes including: a first computer
readable program code for causing said computer to
check whether a norm N(S) of the signature S is smaller
than k bits or not, and judge that the signature S is illegal
when the norm N(S) is larger than k bits; a second computer
readable program code for causing said computer
to generate a challenge C when the norm N(S) is not
larger than k bits, by computing the message ideal M of
the message m, generating a random integer r smaller
than t bits, computing H = (M/S)^r, generating a random
ideal B whose norm is smaller than k-1 bits, and computing
the challenge C = BH, and send the challenge C
to a signer side; and a third computer readable program
code for causing said computer to receive a response
W from the signer side, check whether W = B^2 holds or
not, and judge that the signature S is legal when W = B^2
holds or that the signature S is illegal otherwise, where
the response W being obtained by mapping the challenge
C to the class group CI(D1) and pulling the
mapped challenge C back to the class group CI(D) and
squaring a result of mapping and pulling back, using the
secret keys (D1, q).

[0013] According to another aspect of the present invention
there is provided a method for providing a soft-
ware vending service, comprising the steps of: (a) at- 
taching an undeniable digital signature to a software of- 
fered for downloading by clients at a software vendor 
side, according to an undeniable digital signature 
scheme based on a quadratic field; and (b) carrying out 
a process of verifying the undeniable digital signature at 
the software vendor side interactively with each client 
which has downloaded the software with the undeniable 
digital signature attached thereto, so as to prove that the 
software has not been altered from an original. 
[0014] According to another aspect of the present invention
there is provided a method for enabling a user
to check authenticity of an e-commerce/information 
service provider, comprising the steps of: (a) obtaining 
public keys, secret keys, and a signature for the public 
keys from a certificate authority at the e-commerce/in- 
formation service provider, the signature being generat- 
ed by the certificate authority according to an undenia- 
ble digital signature scheme; (b) providing the public 
keys and the signature from the e-commerce/informa- 
tion service provider to the user, such that the user car- 
ries out a process of verifying the signature provided 
from the e-commerce/information service provider to 
the user, interactively with the certificate authority to 
prove authenticity of the public keys provided by the e- 
commerce/information service provider; and (c) receiv- 
ing an encrypted random data from the user, the en- 
crypted random data being encrypted by the user using 
the public keys, decrypting the encrypted random data 
using the secret keys, and returning a decrypted random 
data to the user, such that the user checks if the decrypt- 
ed random data coincides with an original random data 
to prove that the e-commerce/information service pro- 
vider has authentic secret keys. 

[0015] According to another aspect of the present invention
there is provided a method for enabling a user
to check authenticity of an e-commerce/information
service provider, comprising the steps of: (a) issuing
public keys, secret keys, and a signature for the public 
keys from a certificate authority to the e-commerce/in- 
formation service provider, the signature being generat- 
ed according to an undeniable digital signature scheme; 
and (b) carrying out a process of verifying the signature 
provided from the e-commerce/information service pro- 
vider to the user, at the certificate authority interactively 
with the user in order to prove authenticity of the public 
keys provided by the e-commerce/information service
provider.

[0016] According to another aspect of the present in- 
vention there is provided a method for enabling a user 
to check authenticity of an e-commerce/information 
service provider, comprising the steps of: (a) generating
a signature for a hash value of a home page of the e- 
commerce/information service provider at a certificate 
authority according to an undeniable digital signature 
scheme; (b) posting the signature on a display of the 
home page of the e-commerce/information service provider
at a user side from the certificate authority, such
that the user can initiate a process of verifying the sig- 
nature by clicking the signature on the display; and (c) 
carrying out the process of verifying the signature at the 
certificate authority interactively with the user in order 
to prove authenticity of the e-commerce/information 
service provider. 

[0017] Other features and advantages of the present
invention will become apparent from the following de- 
scription taken in conjunction with the accompanying 
drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 



[0018]

Fig. 1 is a table summarizing symbols used in describing
a quadratic field that is utilized in the undeniable
digital signature scheme according to the
present invention.
Fig. 2 is a table summarizing parameters used in
the undeniable digital signature scheme according
to the present invention.
Fig. 3 is a flow chart showing a processing procedure
of the undeniable digital signature scheme according
to the present invention.
Fig. 4 is a block diagram showing exemplary configurations
of a signer device and a verifier device
for carrying out the processing procedure of Fig. 3.
Fig. 5 is a table summarizing a simulation result for
comparing efficiency in the undeniable digital signature
scheme according to the present invention
and the conventional RSA-type digital signature
scheme.
Fig. 6 is a schematic diagram showing an exemplary
configuration of an undeniable digital signature
system for a software vending service utilizing the
undeniable digital signature scheme according to
the present invention.
Fig. 7 is a block diagram showing an exemplary
configuration of an authentication server in the
undeniable digital signature system of Fig. 6.
Fig. 8 is a schematic diagram showing an exemplary
configuration of an undeniable digital signature
system for an e-commerce service utilizing the
undeniable digital signature scheme according to the
present invention.
Fig. 9 is a schematic diagram showing an exemplary
configuration of an undeniable digital signature
system for a news/mail providing service utilizing
the undeniable digital signature scheme according
to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0019] Referring now to Fig. 1 to Fig. 9, one embodiment
of the undeniable digital signature scheme according
to the present invention will be described in detail.
[0020] The undeniable digital signature scheme of the 
present invention utilizes a structure of the class group 
of a quadratic field, especially fast algorithms for switch- 
ing between the maximal order and the non-maximal or- 
der. 

[0021] First, the property of a quadratic field utilized 
in this undeniable digital signature scheme will be sum- 
marized briefly. 

[0022] Let p and q be two prime numbers greater than
four that are given by p = 3 mod 4 and √(p/3) < q, and
define D1 = -p and D = D1q^2, where D1 is a fundamental
discriminant, D is a non-fundamental discriminant, and
q is a conductor. Denoting the integer ring by Z, O_D = Z
+ (D+√D)/2 Z gives a quadratic order with discriminant
D. The class group with discriminant D will be denoted
as CI(D). An ideal A in the class group CI(D) is represented
by A = (a, b) where "a" is a positive integer and
"b" is an integer satisfying b^2 = D mod 4a. If -a < b ≤ a
and |b| ≤ a ≤ c = (b^2-D)/4a, and assuming that b > 0 when
a = c or a = |b|, then (a, b) can be uniquely determined
for the ideal A. A norm of the ideal A will be denoted as
N(A) = a where A = (a, b). The definitions of various symbols
described above are summarized in a table shown
in Fig. 1.

[0023] In the undeniable digital signature scheme of
the present invention, there is a need to compute the
modular exponentiation A^r of an ideal A in the class
group CI(D). For this computation of the modular exponentiation
A^r, it is possible to utilize the algorithms called
"Multiply", "Square" and "Reduce" or their variant called
"Square & Multiply" as disclosed in J. Buchmann, S. Duellmann
and H.C. Williams, "On the complexity and efficiency
of a new key exchange system", Advances in
Cryptology - CRYPTO '89, LNCS 434, pp. 597-616,
Springer-Verlag, 1990, or the algorithms called "NUCOMP"
and "NUDUPL" as disclosed in D. Shanks, "On
Gauss and Composition I, II", NATO ASI on Number
Theory and Applications (R.A. Mollin, editor), pp.
163-204, Kluwer Academic Press, 1989.
[0024] Also, in the undeniable digital signature
scheme of the present invention, the switching map between
the class group of maximal order CI(D1) and the
class group of non-maximal order CI(D) plays an important
role. The computations for this switching map only
involve easy calculations such as that of the greatest
common divisor so that they can be done very fast. For
this switching map, it is possible to utilize the algorithms
called "GoToMaxOrder" and "GoToNonMaxOrder" as
disclosed in D. Huehnlein, M.J. Jacobson, Jr., S. Paulus
and T. Takagi, "A cryptosystem based on non-maximal
imaginary quadratic orders with fast decryption", Advances
in Cryptology - EUROCRYPT '98, LNCS 1403,
pp. 294-307, Springer-Verlag, 1998.
[0025] Now, with references to Fig. 2 to Fig. 5, the
processing of the undeniable digital signature scheme
according to the present invention will be described in
detail.

[0026] Fig. 2 summarizes parameters used in this undeniable
digital signature scheme, Fig. 3 shows an overall
processing procedure of this undeniable digital signature
scheme, and Fig. 4 shows exemplary configurations
of a signer device and a verifier device for carrying
out the processing procedure of Fig. 3.
[0027] As shown in Fig. 3, this undeniable digital signature
scheme generally comprises three major stages
of a key generation (step S10), a signature generation
(step S20) and a signature verification (step S30).
[0028] In the key generation stage, a key generation
unit 11 of a signer device 10 carries out the following
operation. Namely, two primes p, q (p, q > 4, p = 3 mod
4, √(p/3) < q) are generated, and D1 = -p and D = D1q^2
are computed. Then, a bit length k of √(|D1|/4) and a bit
length t of q-(D1/q) where (D1/q) denotes Kronecker
symbol, are obtained. Also, a kernel element P of the
map from the class group CI(D) to the class group CI
(D1) is generated using the algorithm "KERNEL" described
below. Here, the algorithm "KERNEL" is used
as an exemplary algorithm to generate a kernel element
P(CI(D)->CI(D1)). Then, the public keys are defined as
(D, P, k, t) while the secret keys are defined as (D1, q).
The public keys (D, P, k, t) and the secret keys (D1, q)
so obtained are stored in a key memory unit 12 of the
signer device 10.

[0029] Note that the security of the quadratic field
based cryptosystem that underlies this undeniable digital
signature scheme depends on the intractability of
calculating D1 and q from D which is the well known integer
factorization problem. For further details, see D.
Huehnlein, M.J. Jacobson, Jr., S. Paulus and T. Takagi,
"A cryptosystem based on non-maximal imaginary
quadratic orders with fast decryption", Advances in
Cryptology - EUROCRYPT '98, LNCS 1403, pp.
294-307, Springer-Verlag, 1998.
[0030] In the signature generation stage, a signature
generation unit 14 of the signer device 10 carries out the
following operation. Namely, a message m generated
by a message generation unit 13 is embedded into a
message ideal M = (u, b) in the class group CI(D) where
a norm of the message ideal M is larger than k+1 bits,
using the algorithm "Embedding" described below.
Here, the algorithm "Embedding" is used as an exemplary
algorithm to embed a message m into a message
ideal M. Then, the signature S for the message ideal M
is generated by

S = GoToNonMaxOrder(GoToMaxOrder(M))

using the algorithms "GoToMaxOrder" and "GoToNonMaxOrder"
described below, so as to obtain a pair (m, S)
of the message and the signature. Here, the algorithms
"GoToNonMaxOrder" and "GoToMaxOrder" are
used as exemplary algorithms to map the ideal M to the
class group CI(D1) of the fundamental discriminant D1
and to pull the mapped ideal M back to the class group
CI(D) of the non-fundamental discriminant D. This pair
(m, S) is then sent to the verifier.
[0031] The signature verification stage includes the 
following three steps. 

[0032] A verification step I (step S31) is carried out by
a norm checking unit 21 and a challenge generation unit 
22 of a verifier device 20 as follows. First, whether a 
norm N(S) of the signature is smaller than k bits or not 
is checked by the norm checking unit 21. If it is larger 
than k bits, it implies that the signature is illegal. On the 
other hand, when it is not larger than k bits, the challenge 
generation unit 22 carries out the following operation. 
Namely, the message ideal M of the message m is computed
using the algorithm "Embedding" described below.
Then, a random integer r smaller than t bits is generated,
and H = (M/S)^r is computed. Next, a random ideal
B whose norm is smaller than k-1 bits is generated
using the algorithm "Embedding" described below, and 
C = BH is computed. This C is a challenge that is sent 
to the signer. Here, the algorithm "Embedding" is used 
as an exemplary algorithm to generate a random ideal 
B. 

[0033] A verification step II (step S32) is carried out 
by a response generation unit 15 of the signer device 
10 as follows. Namely, according to the secret keys (D1,
q) stored in the key memory unit 12, the response generation
unit 15 computes

W = (GoToNonMaxOrder(GoToMaxOrder(C)))^2

using the algorithms "GoToMaxOrder" and "GoToNon- 
MaxOrder" described below, and sends this W back to 
the verifier as a response. Here, the algorithms 
"GoToNonMaxOrder" and "GoToMaxOrder" are used as 
exemplary algorithms to map the ideal C to the class 
group CI(D1) of the fundamental discriminant D1 and to 
pull the mapped ideal C back to the class group CI(D) 
of the non-fundamental discriminant D. 
[0034] A verification step III (step S33) is carried out 
by a response checking unit 23 of the verifier device 20 
as follows. Namely, the response checking unit 23 
checks whether W = B^2 holds or not. If it holds, then the
signature is legal, whereas otherwise the signature is 
illegal. 

[0035] It is to be noted that I. Biehl, S. Paulus and T. 
Takagi, "Efficient Undeniable Signature Schemes based 
on Ideal Arithmetic in Quadratic Orders", Conference on
the Mathematics of Public Key Cryptography, June
1999, also discloses an undeniable digital signature
scheme but this scheme is different from the undeniable
digital signature scheme of the present invention in that
the signature verification stage of this reference uses
the Zero-Knowledge Protocol for L^ er which is far more 
complicated and time consuming than the algorithm 
used in the undeniable digital signature scheme of the 
present invention. 

[0036] The algorithm "KERNEL" to generate a kernel
element P(CI(D)->CI(D1)) is as follows.

Algorithm KERNEL 

[0037] Input: fundamental discriminant D1, conductor q
Output: ideal P ∈ (CI(D)->CI(D1))

1. /* Generate α = (x+y√D1)/2 */
  1.1. Generate integers x, y (< √D1)
2. /* Standard representation of αO = (A, B) */
  2.1. Find integer (m, k, n) such that
       m = ky+n(x+yD1)/2
  2.2. A <- |x^2-y^2D1|/4m^2
  2.3. B <- (kx+n(x+y)D1/2)/m mod 2A, (-A<B<A)
3. /* Compute GoToNonMaxOrder(A) = (a, b) */
  3.1. a <- A
  3.2. b <- Bq mod 2A, (-a<b<a)
4. /* Reduce (a, b) */
  4.1. c <- (D-b^2)/4a
  4.2. WHILE {-a<b<a<c} or {0<b<a=c} DO
    4.2.1. Find μ, λ such that -a<μ=b+2λa<a
    4.2.2. (a, b, c) <- (c-(b+μ)λ/2, μ, a)
  4.3. IF a=c AND b<0 THEN b <- -b
  4.4. RETURN (a, b)

[0038] The algorithm "Embedding" to embed a message
m into a message ideal M is as follows.

Algorithm Embedding

[0039]

Input: non-fundamental discriminant D,
message m smaller than k bits
Output: message ideal M ∈ CI(D)

1. Generate u which is a smallest quadratic residue
   among prime numbers larger than m
2. Find b such that b^2 = D mod 4u, (-u<b<u)
3. RETURN M = (u, b)
[0040] The algorithms "GoToNonMaxOrder" and
"GoToMaxOrder" to map the ideal to the class group CI
(D1) of the fundamental discriminant D1 and to pull the 
mapped ideal back to the class group CI(D) of the non- 
fundamental discriminant D are as follows. 

Algorithm GoToNonMaxOrder 

[0041] 

Input: reduced ideal (A, B) ∈ CI(D1), conductor q
Output: reduced ideal (a, b) ∈ CI(D) such that
(a, b) = T(v) where y; CI(D1)->CI(D) and 
v is an element of CI(D) 

1. a<-A 

2. b <- Bq mod 2a, (-a<b<a)

3. RETURN (a, b) 

Algorithm GoToMaxOrder 
[0042] 

Input: reduced ideal (a, b) ∈ CI(D),
fundamental discriminant D1, conductor q
Output: reduced ideal (A, B) ∈ CI(D1) such that
(A, B) = O(a) where &: CI(D)-»CI(D1) and 

a is an element of CI(D1) 

1. /* Compute (A, B) = (a, b) D1 */
  1.2. b0 <- D mod 2
  1.3. Solve 1 = μq+λa for μ, λ ∈ Z
       using the extended Euclidean algorithm
  1.4. B <- bμ+ab0λ mod 2a, (-A<B<A)
2. /* Reduce (A, B) */
  2.1. C <- (D1-B^2)/4A
  2.2. WHILE {-A<B≤A<C} or {0<B<A=C} DO
    2.2.1. Find μ, λ ∈ Z such that
           -A≤μ=B+2λA<A
           using division with remainder
    2.2.2. (A, B, C) <- (C-(B+μ)λ/2, μ, A)
  2.3. IF A=C AND B<0 THEN B <- -B
  2.4. RETURN (A, B)
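
The following Python sketch is an added illustration and is not part of the patent text. It runs steps S10 to S33 on constructed toy-sized primes, using the Reduce, Embedding, GoToMaxOrder and GoToNonMaxOrder steps listed above. The function names, the SHA-256 mapping of a message to an integer, the classical Gauss composition used to multiply ideals, and the omission of the kernel element P (which steps S31 to S33 do not use) are assumptions of the sketch.

```python
# Added example with constructed toy parameters; function names, key sizes and the
# SHA-256 message mapping are assumptions of this sketch, not taken from the patent.
import hashlib
from math import isqrt

def xgcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b) >= 0."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        k = a // b
        a, b = b, a - k * b
        x0, x1 = x1, x0 - k * x1
        y0, y1 = y1, y0 - k * y1
    return (a, x0, y0) if a >= 0 else (-a, -x0, -y0)

def next_prime(n, ok=lambda u: True):
    """Smallest prime >= n accepted by ok (trial division: toy sizes only)."""
    while not (all(n % d for d in range(2, isqrt(n) + 1)) and ok(n)):
        n += 1
    return n

def reduce(a, b, D):
    """Reduce: the unique (a, b) of the class with -a < b <= a <= c."""
    while True:
        b = (b + a - 1) % (2 * a) - a + 1       # bring b into (-a, a]
        c = (b * b - D) // (4 * a)
        if a <= c:
            return (a, -b) if a == c and b < 0 else (a, b)
        a, b = c, -b

def mul(f1, f2, D):
    """Product of two ideal classes of discriminant D (Gauss composition + Reduce)."""
    (a1, b1), (a2, b2) = f1, f2
    g1, x, y = xgcd(a1, a2)
    e, z, w = xgcd(g1, (b1 + b2) // 2)          # e = gcd(a1, a2, (b1+b2)/2)
    b3 = (x * z * a1 * b2 + y * z * a2 * b1 + w * ((b1 * b2 + D) // 2)) // e
    return reduce(a1 * a2 // (e * e), b3, D)

def power(f, r, D):
    out = reduce(1, D % 2, D)                   # identity class
    while r:
        if r & 1:
            out = mul(out, f, D)
        f, r = mul(f, f, D), r >> 1
    return out

def go_to_max_order(f, D, D1, q):
    """Image in CI(D1) of an ideal of CI(D), reduced; needs the secret (D1, q)."""
    a, b = f
    if a % q == 0:                              # use the equivalent form (c, -b), prime to q
        a, b = (b * b - D) // (4 * a), -b
    _, mu, lam = xgcd(q, a)                     # 1 = mu*q + lam*a
    return reduce(a, b * mu + a * (D % 2) * lam, D1)

def go_to_non_max_order(F, q):
    """Pull a reduced ideal (A, B) of CI(D1) back to CI(D): b = B*q mod 2A."""
    A, B = F
    return (A, (B * q + A - 1) % (2 * A) - A + 1)

def embed(m, D):
    """Embedding: smallest prime u > m with (D/u) = 1, and b with b^2 = D mod 4u."""
    u = next_prime(m + 1, lambda u: u > 2 and pow(D % u, (u - 1) // 2, u) == 1)
    b = next(b for b in range(D % 2, u, 2) if (b * b - D) % (4 * u) == 0)
    return (u, b)

def keygen():
    p = next_prime(2_000_000, lambda n: n % 4 == 3)   # p = 3 mod 4
    q = next_prime(1_000)                             # sqrt(p/3) < q holds for these sizes
    D1, k = -p, isqrt(p // 4).bit_length()
    t = (q - (1 if pow(D1 % q, (q - 1) // 2, q) == 1 else -1)).bit_length()
    return (D1 * q * q, k, t), (D1, q)          # public (D, k, t), secret (D1, q); P omitted

def message_ideal(msg, pub):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (1 << (pub[1] + 1))
    return embed((1 << (pub[1] + 1)) | h, pub[0])     # norm longer than k+1 bits

def sign(msg, pub, sec):
    M = message_ideal(msg, pub)
    return go_to_non_max_order(go_to_max_order(M, pub[0], *sec), sec[1])

def challenge(msg, S, pub, rng):
    """Verifier, step I: norm check, then C = B*(M/S)^r. Returns (C, B) or None."""
    D, k, t = pub
    if not 0 < S[0] < 1 << k or (S[1] ** 2 - D) % (4 * S[0]):
        return None                             # norm longer than k bits, or not an ideal
    M, S_inv = message_ideal(msg, pub), reduce(S[0], -S[1], D)
    H = power(mul(M, S_inv, D), rng.randrange(1, 1 << (t - 1)), D)
    B = embed(rng.randrange(1, 1 << (k - 3)), D)
    return mul(B, H, D), B

def respond(C, pub, sec):
    """Signer, step II: W = (GoToNonMaxOrder(GoToMaxOrder(C)))^2."""
    T = go_to_non_max_order(go_to_max_order(C, pub[0], *sec), sec[1])
    return mul(T, T, pub[0])

def verify(msg, S, pub, sec, rng):
    """Step III: accept iff W == B^2 (signer and verifier run in one process here)."""
    ch = challenge(msg, S, pub, rng)
    return ch is not None and respond(ch[0], pub, sec) == mul(ch[1], ch[1], pub[0])
```

Only respond() and sign() touch the secret keys (D1, q); challenge() and the final comparison use public values, which is why the verifier cannot check a signature without the signer taking part.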

[0043] In this undeniable digital signature scheme, 
the required amount of computations is small so that the 
signature verification can be done very fast even when 
the public keys are made very long. 
[0044] To demonstrate the effectiveness of this unde- 
niable digital signature scheme, this undeniable digital 
signature scheme and the conventional RSA-type undeniable
digital signature scheme were implemented in
form of software and the running times of each step in
these two schemes were compared, for an exemplary
case of using the bit length of the public key equal to
1024 bits. Fig. 5 summarizes the result of this simulation.
As can be seen from Fig. 5, the key generation and
the signature verification of the undeniable digital sig- 
nature scheme of the present invention are much faster 
than those of the conventional RSA-type undeniable 
digital signature scheme. 

[0045] Moreover, when the bit length of the public key
is doubled, from 1024 bits to 2048 bits for example, the 
processing time of the undeniable digital signature 
scheme of the present invention becomes only twice 
longer, whereas the processing time of the conventional 
RSA-type undeniable digital signature scheme be- 
comes about eight times longer. 

[0046] Next, with reference to Fig. 6 to Fig. 9, exem-
plary practical applications of the undeniable digital sig-
nature scheme according to the present invention will
be described in detail.

[0047] Fig. 6 shows a schematic configuration of an 
undeniable digital signature system for a software vend- 
ing service, which comprises clients 101 and 102 that 
are connected to a communication network 108 such as
the Internet, and authentication servers 105 and soft-
ware vending servers 106 that are connected to the
communication network 108 through a firewall 109. 
[0048] In this system, the authentication server 105
issues a secret key of the undeniable signature for the
software vending server 106. The authentication server
105 also attaches a software vendor's undeniable digital
signature to each software offered for downloading at
the software vending server 106. When the client 101 or
102 downloads the software with the undeniable digital
signature attached thereto from the software vending
server 106, the client 101 or 102 can prove that the soft-
ware has not been altered from an original (the software
is not infected by any computer virus) by carrying out
the process for verifying the undeniable digital signature
interactively with the authentication server 105. Thus in
this system the client 101 or 102 is the verifier and the
authentication server 105 is the signer. In this way, it be-
comes possible to detect a downloaded software that is
infected by any computer virus.

[0049] When the undeniable digital signature scheme
according to the present invention is used in this system,
the authentication server is only required to carry out the
verification step II, which can be done very fast as al-
ready noted above, so that the processing load on the
authentication server can be reduced considerably even
in the case of a large scale system.
[0050] Furthermore, in the undeniable digital signa- 
ture scheme of the present invention, a time required for 
the key generation is about 1 second which is much
shorter than about 30 minutes required in the conven-
tional RSA-type digital signature scheme. When the
conventional RSA-type digital signature scheme is uti-
lized in signing a large number of different softwares, it
has been practically inevitable to use the same key
many times because the key generation takes a rather
long time. However, this use of the same key many times 
can be potentially problematic from a viewpoint of the 
security because, once the key used for one software is 
attacked somehow, the security of all the softwares for 
which the same key has been used is also lost. In this 
regard, in the undeniable digital signature scheme of the 
present invention, the key generation takes only a very 
short time so that there is no need to use the same key 
many times and it is possible to use each key only once 
so as to further improve the security. 
[0051] In the system of Fig. 6, each authentication 
server can have an exemplary configuration as shown 
in Fig. 7, in which a network interface 201, a CPU (Cen-
tral Processing Unit) 202, a main memory 203, an un-
deniable digital signature key storage area 204, console
and display interfaces 205, a secondary memory device 
206 such as a magnetic disk device, and a supplemen- 
tary memory device 207 such as a magneto-optic disk 
device are interconnected through a bus. Here, the un- 
deniable digital signature key storage area 204 is con- 
nected to the bus through an access control circuit 208, 
and an undeniable digital signature processing program 
209 is stored in the secondary memory device 206. 
[0052] Fig. 8 shows a schematic configuration of an 
undeniable digital signature system for an e-commerce 
service. 

[0053] In recent years, in conjunction with the rapid 
spread of the e-commerce on the Internet, troubles be-
tween customers and e-commerce stores are also in-
creasing. For instance, there is a trouble of a product
delivery failure despite the proper payment made by
the customer. In order to eliminate such troubles, it is
effective for the e-commerce store to obtain a certificate 
issued by the trusted certificate authority and give this 
certificate to the customer at a time of purchase con- 
tract. Here, it is suitable to utilize the undeniable signa- 
ture for the certificate so that the certificate cannot be 
reused illegally. 

[0054] In this system of Fig. 8, an e-commerce store
302 makes a certification request to a certificate author-
ity 303 in order to obtain a certificate. In response to this
certification request, the certificate authority 303 tests
the validity of the e-commerce store 302. If the e-com-
merce store 302 passes the test, the certificate authority
303 generates a pair of secret keys and public keys of
a digital signature for the e-commerce store 302. The
certificate authority 303 also generates a signature for
the public keys using the undeniable digital signature
scheme of the present invention, and sends a set of the
secret keys, the public keys, and the signature as a cer-
tificate to the e-commerce store 302.

[0055] Then, before purchasing a product from the e- 
commerce store 302, a customer 301 checks the au- 
thenticity of the e-commerce store 302 as follows. 
Namely, the customer 301 first obtains the public keys 
and the signature from the e-commerce store 302.
Then, the customer 301 makes a store authentication
request to the certificate authority 303. In response to this
store authentication request, the signature verification
of the undeniable digital signature is carried out by the
certificate authority 303 as a signer and the customer
301 as a verifier. If the signature verification fails, it im- 
plies that the public keys are not authentic ones issued 
by the certificate authority 303 so that the customer 301 
should not trust the e-commerce store 302. 

[0056] On the other hand, if the signature verification
succeeds, it implies that the public keys are authentic
ones issued by the certificate authority 303. In this case,
the customer 301 next generates a random data, en-
crypts it using the public keys of the e-commerce store
302, and sends the encrypted random data to the e-
commerce store 302. In response, the e-commerce
store 302 decrypts the encrypted random number using
the secret keys of the e-commerce store 302, and re-
turns the decrypted random data to the customer 301.
The customer 301 then checks if the decrypted random
data coincides with the original random data. If they co-
incide, it implies that the e-commerce store 302 also has
the authentic secret keys issued by the certificate au-
thority 303 that corresponds to the public keys so that
the customer 301 can regard the e-commerce store 302
as trustworthy and make a product purchase from the
e-commerce store 302. In this way, it becomes possible
to check the authenticity of the e-commerce service pro-
vider.

[0057] The above described procedure may be mod-
ified as follows. 

[0058] Namely, in the system of Fig. 8, the e-com-
merce store 302 has a home page, and makes a certi-
fication request to the certificate authority 303 in order
to obtain a certificate of the home page. In response to
this certification request, the certificate authority 303
tests the validity of the e-commerce store 302. If the e-
commerce store 302 passes the test, the certificate au-
thority 303 generates a signature for the hash value of
the home page using the undeniable digital signature
scheme of the present invention, and posts the signa-
ture as a certificate on the home page of the e-com-
merce store 302 as displayed on the customer's brows-
er. Here, the certificate is not directly issued to the e-
commerce store 302 but made to appear on a display
of the home page of the e-commerce store 302 on the
customer's browser, so as to prevent an illegal copy of 
the certificate by the e-commerce store 302. 
[0059] Then, before purchasing a product from the e-
commerce store 302, the customer 301 checks the au-
thenticity of the e-commerce store 302 as follows.
Namely, the customer 301 clicks the certificate posted
on the home page of the e-commerce store 302. In re-
sponse, the signature is sent to the customer 301 and
the customer 301 is linked to the certificate authority
303. Then, the signature verification of the undeniable
digital signature is carried out by the certificate authority
303 as a signer and the customer 301 as a verifier. If the
signature verification fails, it implies that the home page
is not an authentic one whose hash value is signed by the
certificate authority 303 so that the customer 301 should
not trust the e-commerce store 302. On the other hand,
if the signature verification succeeds, the customer 301
can regard the e-commerce store 302 as trustworthy 
and make a product purchase from the e-commerce 
store 302. In this way, it also becomes possible to check 
the authenticity of the e-commerce service provider. 
[0060] Fig. 9 shows a schematic configuration of an 
undeniable digital signature system for a news/mail pro- 
viding service. 

[0061] In recent years, there are increasing threats of 
SPAM mails, a computer virus infection through mails 
or attached files, and a social disorder due to unreliable 
news. In order to eliminate such threats, the news/mail 
provider can attach an undeniable signature to the pro- 
vided news/mails, such that the recipient can open/read 
the received news/mails only after checking the authen- 
ticity of the provider with the trusted certificate authority. 
[0062] In this system of Fig. 9, a news/mail provider 
402 makes a certification request to a certificate author- 
ity 403 in order to obtain a certificate. In response to this 
certification request, the certificate authority 403 tests 
the validity of the news/mail provider 402. If the news/ 
mail provider 402 passes the test, the certificate author- 
ity 403 generates a pair of secret keys and public keys 
of a digital signature for the news/mail provider 402. The 
certificate authority 403 also generates a signature for
the public keys using the undeniable digital signature 
scheme of the present invention, and sends a set of the 
secret keys, the public keys, and the signature as a cer- 
tificate to the news/mail provider 402. 
[0063] Then, before opening news/mails received 
from the news/mail provider 402, a reader 401 checks 
the authenticity of the news/mail provider 402 as follows. 
Namely, the reader 401 first obtains the public keys and 
the signature from the news/mail provider 402. Then, 
the reader 401 makes a provider authentication request 
to the certificate authority 403. In response to this store
authentication request, the signature verification of the 
undeniable digital signature is carried out by the certifi- 
cate authority 403 as a signer and the reader 401 as a 
verifier. If the signature verification fails, it implies that 
the public keys are not authentic ones issued by the cer- 
tificate authority 403 so that the reader 401 should not 
trust the news/mail provider 402. 
[0064] On the other hand, if the signature verification 
succeeds, it implies that the public keys are authentic 
ones issued by the certificate authority 403. In this case, 
the reader 401 next generates a random data, encrypts 
it using the public keys of the news/mail provider 402, 
and sends the encrypted random data to the news/mail 
provider 402. In response, the news/mail provider 402 
decrypts the encrypted random number using the secret
keys of the news/mail provider 402, and returns the de-
crypted random data to the reader 401. The reader 401
then checks if the decrypted random data coincides with
the original random data. If they coincide, it implies that
the news/mail provider 402 also has the authentic secret
keys issued by the certificate authority 403 that corre- 
sponds to the public keys so that the reader 401 can 
regard the news/mail provider 402 as trustworthy and 
open the news/mails received from the news/mail pro- 
vider 402. In this way, it becomes possible to check the 
authenticity of the information service provider. 
[0065] The above described procedure may be mod- 
ified as follows. 

[0066] Namely, in the system of Fig. 9, the news/mail 
provider 402 has a home page, and makes a certifica- 
tion request to the certificate authority 403 in order to 
obtain a certificate of the home page. In response to this 
certification request, the certificate authority 403 tests 
the validity of the news/mail provider 402. If the news/
mail provider 402 passes the test, the certificate author- 
ity 403 generates a signature for the hash value of the 
home page using the undeniable digital signature 
scheme of the present invention, and posts the signa- 
ture as a certificate on the home page of the news/mail 
provider 402 as displayed on the reader's browser. 
Here, the certificate is not directly issued to the news/ 
mail provider 402 but made to appear on a display of 
the home page of the news/mail provider 402 on the 
reader's browser, so as to prevent an illegal copy of the 
certificate by the news/mail provider 402. 
[0067] Then, before opening news/mails received 
from the news/mail provider 402, the reader 401 checks 
the authenticity of the news/mail provider 402 as follows. 
Namely, the reader 401 clicks the certificate posted on 
the home page of the news/mail provider 402. In re- 
sponse, the signature is sent to the reader 401 and the 
reader 401 is linked to the certificate authority 403. 
Then, the signature verification of the undeniable digital 
signature is carried out by the certificate authority 403 
as a signer and the reader 401 as a verifier. If the sig- 
nature verification fails, it implies that the home page is 
not authentic one whose hash value is signed by the 
certificate authority 403 so that the reader 401 should 
not trust the news/mail provider 402. On the other hand, 
if the signature verification succeeds, the reader 401 
can regard the news/mail provider 402 as trustworthy 
and open the news/mails received from the news/mail
provider 402. In this way, it also becomes possible to
check the authenticity of the e-commerce service pro- 
vider. 

[0068] It is to be noted that the above described em-
bodiments according to the present invention may be
conveniently implemented using a conventional general 
purpose digital computer programmed according to the 
teachings of the present specification, as will be appar- 
ent to those skilled in the computer art. Appropriate soft- 
ware coding can readily be prepared by skilled program- 
mers based on the teachings of the present disclosure, 
as will be apparent to those skilled in the software art. 
[0069] In particular, each of the signer device and the 
verifier device of the above described embodiments can 
be conveniently implemented in a form of a software
package. 

[0070] Such a software package can be a computer
program product which employs a storage medium in-
cluding stored computer code which is used to program
a computer to perform the disclosed function and proc-
ess of the present invention. The storage medium may
include, but is not limited to, any type of conventional
floppy disks, optical disks, CD-ROMs, magneto-optical
disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic
or optical cards, or any other suitable media for storing
electronic instructions.

[0071] It is also to be noted that, besides those al-
ready mentioned above, many modifications and varia-
tions of the above embodiments may be made without
departing from the novel and advantageous features of
the present invention. Accordingly, all such modifica-
tions and variations are intended to be included within
the scope of the appended claims.



Claims 

1. A method of undeniable digital signature, compris-
ing the steps of:

(a) generating public keys (D, P, k, t) and secret
keys (D1, q) at a signer side, by generating two
primes p, q (p, q > 4, p = 3 mod 4, √p/3 < q),
computing D1 = -p and D = D1q^2, obtaining a
bit length k of √|D1|/4 and a bit length t of
q-(D1/q) where (D1/q) denotes Kronecker sym-
bol, and generating a kernel element P of a map
from a class group CI(D) to a class group CI
(D1);

(b) generating a signature S for a message m
at the signer side, by embedding the message
m into a message ideal M in the class group CI
(D) where a norm of the message ideal M is
larger than k+1 bits, and mapping the message
ideal M to the class group CI(D1) and pulling
the mapped message ideal M back to the class
group CI(D); and

(c) verifying the signature S by:

(c1) checking whether a norm N(S) of the
signature S is smaller than k bits or not, and
judging that the signature S is illegal when
the norm N(S) is larger than k bits, or gen-
erating a challenge C when the norm N(S)
is not larger than k bits, by computing the
message ideal M of the message m, gen-
erating a random integer r smaller than t
bits, computing H = (M/S)^r, generating a
random ideal B whose norm is smaller than
k-1 bits, and computing the challenge C =
BH, at a verifier side;
(c2) computing a response W by mapping
the challenge C to the class group CI(D1)
and pulling the mapped challenge C back
to the class group CI(D) and squaring a re-
sult of mapping and pulling back, using the
secret keys (D1, q), at the signer side; and
(c3) checking whether W = B^2 holds or not,
and judging that the signature S is legal
when W = B^2 holds or that the signature S
is illegal otherwise, at the verifier side.

2. A signer device for processing an undeniable digital
signature, comprising:

a key generation unit for generating public keys
(D, P, k, t) and secret keys (D1, q), by generat-
ing two primes p, q (p, q > 4, p = 3 mod 4, √p/3
< q), computing D1 = -p and D = D1q^2, obtaining
a bit length k of √|D1|/4 and a bit length t of
q-(D1/q) where (D1/q) denotes Kronecker sym-
bol, and generating a kernel element P of a map
from a class group CI(D) to a class group CI
(D1);

a signature generation unit for generating a sig-
nature S for a message m, by embedding the
message m into a message ideal M in the class
group CI(D) where a norm of the message ideal
M is larger than k+1 bits, and mapping the mes-
sage ideal M to the class group CI(D1) and pull-
ing the mapped message ideal M back to the
class group CI(D); and

a response generation unit for receiving a chal-
lenge C = BH from a verifier side, where B is a
random ideal whose norm is smaller than k-1
bits, H = (M/S)^r, and r is a random integer small-
er than t bits, computing a response W by map-
ping the challenge C to the class group CI(D1)
and pulling the mapped challenge C back to the
class group CI(D) and squaring a result of map-
ping and pulling back, using the secret keys
(D1, q), and sending the response W to the ver-
ifier side, in a process for verifying the signature
S.

3. A verifier device for processing an undeniable dig-
ital signature, using a message m and a signature
S received from a signer side, where public keys (D,
P, k, t) and secret keys (D1, q) are defined by gen-
erating two primes p, q (p, q > 4, p = 3 mod 4, √p/3
< q), computing D1 = -p and D = D1q^2, obtaining a
bit length k of √|D1|/4 and a bit length t of q-(D1/q)
where (D1/q) denotes Kronecker symbol, and gen-
erating a kernel element P of a map from a class
group CI(D) to a class group CI(D1), and the signa-
ture S for the message m is generated by embed-
ding the message m into a message ideal M in the
class group CI(D) where a norm of the message ide-
al M is larger than k+1 bits, and mapping the mes-
sage ideal M to the class group CI(D1) and pulling
the mapped message ideal M back to the class
group CI(D), the verifier device comprising:

a norm checking unit for checking whether a
norm N(S) of the signature S is smaller than k
bits or not, and judging that the signature S is
illegal when the norm N(S) is larger than k bits;
a challenge generation unit for generating a
challenge C when the norm N(S) is not larger
than k bits, by computing the message ideal M
of the message m, generating a random integer
r smaller than t bits, computing H = (M/S)^r, gen-
erating a random ideal B whose norm is smaller
than k-1 bits, and computing a challenge C =
BH, and for sending the challenge C to a signer
side; and

a response checking unit for receiving a re-
sponse W from the signer side, checking
whether W = B^2 holds or not, and judging that
the signature S is legal when W = B^2 holds or
that the signature S is illegal otherwise, where
the response W being obtained by mapping the
challenge C to the class group CI(D1) and pull-
ing the mapped challenge C back to the class
group CI(D) and squaring a result of mapping
and pulling back, using the secret keys (D1, q).

4. A computer usable medium having computer read-
able program codes embodied therein for causing
a computer to function as a signer device for
processing an undeniable digital signature, the
computer readable program codes including:

a first computer readable program code for
causing said computer to generate public keys
(D, P, k, t) and secret keys (D1, q), by generat-
ing two primes p, q (p, q > 4, p = 3 mod 4, √p/3 <
q), computing D1 = -p and D = D1q^2, obtaining
a bit length k of √|D1|/4 and a bit length t of
q-(D1/q) where (D1/q) denotes Kronecker sym-
bol, and generating a kernel element P of a map
from a class group CI(D) to a class group CI
(D1);

a second computer readable program code for
causing said computer to generate a signature
S for a message m, by embedding the message
m into a message ideal M in the class group CI
(D) where a norm of the message ideal M is
larger than k+1 bits, and mapping the message
ideal M to the class group CI(D1) and pulling
the mapped message ideal M back to the class
group CI(D); and

a third computer readable program code for
causing said computer to receive a challenge
C = BH from a verifier side, where B is a random
ideal whose norm is smaller than k-1 bits, H =
(M/S)^r, and r is a random integer smaller than t
bits, compute a response W by mapping the
challenge C to the class group CI(D1) and pull-
ing the mapped challenge C back to the class
group CI(D) and squaring a result of mapping
and pulling back, using the secret keys (D1, q),
and send the response W to the verifier side, in
a process for verifying the signature S.

5. A computer usable medium having computer read-
able program codes embodied therein for causing
a computer to function as a verifier device for
processing an undeniable digital signature, using a
message m and a signature S received from a sign-
er side, where public keys (D, P, k, t) and secret keys
(D1, q) are defined by generating two primes p, q
(p, q > 4, p = 3 mod 4, √p/3 < q), computing D1 = -p
and D = D1q^2, obtaining a bit length k of √|D1|/4
and a bit length t of q-(D1/q) where (D1/q) denotes
Kronecker symbol, and generating a kernel element
P of a map from a class group CI(D) to a class group
CI(D1), and the signature S for the message m is
generated by embedding the message m into a
message ideal M in the class group CI(D) where a
norm of the message ideal M is larger than k+1 bits,
and mapping the message ideal M to the class
group CI(D1) and pulling the mapped message ide-
al M back to the class group CI(D), the computer
readable program codes including:

a first computer readable program code for
causing said computer to check whether a
norm N(S) of the signature S is smaller than k
bits or not, and judge that the signature S is il-
legal when the norm N(S) is larger than k bits;
a second computer readable program code for
causing said computer to generate a challenge
C when the norm N(S) is not larger than k bits,
by computing the message ideal M of the mes-
sage m, generating a random integer r smaller
than t bits, computing H = (M/S)^r, generating a
random ideal B whose norm is smaller than k-
1 bits, and computing the challenge C = BH,
and send the challenge C to a signer side; and
a third computer readable program code for
causing said computer to receive a response
W from the signer side, check whether W = B^2
holds or not, and judge that the signature S is
legal when W = B^2 holds or that the signature
S is illegal otherwise, where the response W
being obtained by mapping the challenge C to
the class group CI(D1) and pulling the mapped
challenge C back to the class group CI(D) and
squaring a result of mapping and pulling back,
using the secret keys (D1, q).

6. A method for providing a software vending service,
comprising the steps of:

(a) attaching an undeniable digital signature to
a software offered for downloading by clients at
a software vendor side, according to an unde-
niable digital signature scheme based on a
quadratic field; and
(b) carrying out a process of verifying the un-
deniable digital signature at the software ven-
dor side interactively with each client which has
downloaded the software with the undeniable
digital signature attached thereto, so as to
prove that the software has not been altered
from an original.

7. The method of claim 6, wherein the step (a) further
includes the steps of:

(a1) generating public keys (D, P, k, t) and se-
cret keys (D1, q) at the software vendor side,
by generating two primes p, q (p, q > 4, p = 3
mod 4, √p/3 < q), computing D1 = -p and D =
D1q^2, obtaining a bit length k of √|D1|/4 and a
bit length t of q-(D1/q) where (D1/q) denotes
Kronecker symbol, and generating a kernel el-
ement P of a map from a class group CI(D) to
a class group CI(D1); and
(a2) generating a signature S for a message m
representing the software at the software ven-
dor side, by embedding the message m into a
message ideal M in the class group CI(D) where
a norm of the message ideal M is larger than
k+1 bits, and mapping the message ideal M to
the class group CI(D1) and pulling the mapped
message ideal M back to the class group CI(D).

8. The method of claim 7, wherein the step (b) further
includes the steps of:

(b1) checking whether a norm N(S) of the sig-
nature S is smaller than k bits or not, and judg-
ing that the signature S is illegal when the norm
N(S) is larger than k bits, or generating a chal-
lenge C when the norm N(S) is not larger than
k bits, by computing the message ideal M of the
message m, generating a random integer r
smaller than t bits, computing H = (M/S)^r, gen-
erating a random ideal B whose norm is smaller
than k-1 bits, and computing the challenge C =
BH, at a client side;
(b2) computing a response W by mapping the
challenge C to the class group CI(D1) and pull-
ing the mapped challenge C back to the class
group CI(D) and squaring a result of mapping
and pulling back, using the secret keys (D1, q),
at the software vendor side; and
(b3) checking whether W = B^2 holds or not, and
judging that the signature S is legal when W =
B^2 holds or that the signature S is illegal other-
wise, at the client side.

9. The method of claim 6, wherein the step (a) attach-
es the undeniable digital signature using different
sets of public keys and secret keys for different soft-
wares.

10. A method for enabling a user to check authenticity
of an e-commerce/information service provider,
comprising the steps of:

(a) obtaining public keys, secret keys, and a
signature for the public keys from a certificate
authority at the e-commerce/information serv-
ice provider, the signature being generated by
the certificate authority according to an unde-
niable digital signature scheme;
(b) providing the public keys and the signature
from the e-commerce/information service pro-
vider to the user, such that the user carries out
a process of verifying the signature provided
from the e-commerce/information service pro-
vider to the user, interactively with the certifi-
cate authority to prove authenticity of the public
keys provided by the e-commerce/information
service provider; and
(c) receiving an encrypted random data from
the user, the encrypted random data being en-
crypted by the user using the public keys, de-
crypting the encrypted random data using the
secret keys, and returning a decrypted random
data to the user, such that the user checks if
the decrypted random data coincides with an
original random data to prove that the e-com-
merce/information service provider has au-
thentic secret keys.

11. The method of claim 10, wherein at the step (a) the
signature is generated according to an undeniable
digital signature scheme based on a quadratic field.

12. The method of claim 11, wherein at the step (a) the
public keys, the secret keys, and the signature are
generated by the steps of:

(a1) generating the public keys (D, P, k, t) and
the secret keys (D1, q) at the certificate author-
ity, by generating two primes p, q (p, q > 4, p =
3 mod 4, √p/3 < q), computing D1 = -p and D
= D1q^2, obtaining a bit length k of √|D1|/4 and
a bit length t of q-(D1/q) where (D1/q) denotes
Kronecker symbol, and generating a kernel el-
ement P of a map from a class group CI(D) to
a class group CI(D1); and
(a2) generating the signature S for the public
keys at the certificate authority, by embedding
the public keys into a message ideal M in the
class group CI(D) where a norm of the message
ideal M is larger than k+1 bits, and mapping the
message ideal M to the class group CI(D1) and
pulling the mapped message ideal M back to
the class group CI(D).

EP 1 185 025 A1



13. The method of claim 12, wherein at the step (b) the



provider, the signature being generated ac-
cording to an undeniable digital signature
scheme; and

(b) carrying out a process of verifying the sig-
nature provided from the e-commerce/informa-
tion service provider to the user, at the certifi-
cate authority interactively with the user in or-
der to prove authenticity of the public keys pro-
vided by the e-commerce/information service
provider.

D1q^2, obtaining a bit length k of √|D1|/4 and a
bit length t of q-(D1/q) where (D1/q) denotes
Kronecker symbol, and generating a kernel el-
ement P of a map from a class group CI(D) to
a class group CI(D1); and
(a2) generating the signature S for the public
keys at the certificate authority, by embedding
the public keys into a message ideal M in the
class group CI(D) where a norm of the message
ideal M is larger than k+1 bits, and mapping the
message ideal M to the class group CI(D1) and
pulling the mapped message ideal M back to
the class group CI(D).

17. The method of claim 16, wherein at the step (b) the
signature is verified by the steps of:

(b1) checking whether a norm N(S) of the sig-
nature S is smaller than k bits or not, and judg-
ing that the signature S is illegal when the norm
N(S) is larger than k bits, or generating a chal-
lenge C when the norm N(S) is not larger than
k bits, by computing the message ideal M of the
public keys, generating a random integer r
smaller than t bits, computing H = (M/S)^r, gen-
erating a random ideal B whose norm is smaller
than k-1 bits, and computing the challenge C =
BH, at a user side;
(b2) computing a response W by mapping the
challenge C to the class group CI(D1) and pull-
ing the mapped challenge C back to the class
group CI(D) and squaring a result of mapping
and pulling back, using the secret keys (D1, q),
at a certificate authority side; and
(b3) checking whether W = B^2 holds or not, and
judging that the signature S is legal when W =
B^2 holds or that the signature S is illegal other-
wise, at the user side.

18. A method for enabling a user to check authenticity
of an e-commerce/information service provider,
comprising the steps of:

(a) generating a signature for a hash value of a
home page of the e-commerce/information
service provider at a certificate authority ac-
cording to an undeniable digital signature
scheme;
(b) posting the signature on a display of the
home page of the e-commerce/information
service provider at a user side from the certifi-
cate authority, such that the user can initiate a
process of verifying the signature by clicking
the signature on the display; and
(c) carrying out the process of verifying the sig-
nature at the certificate authority interactively
with the user in order to prove authenticity of
the e-commerce/information service provider.

15. The method of claim 14, wherein at the step (a) the 
signature is generated according to an undeniable 
digital signature scheme based on a quadratic field. 

50 

16. The method of claim 15, wherein at the step (a) the 
public keys, the secret keys, and the signature are 
generated by the steps of: 

(a1) generating the public keys (D. P, k, t) and 55 
the secret keys (D1 , q) at the certificate author- 
ity, by generating two primes p, q (p, q > 4, p = 
3 mod 4, Vp/3< q)» computing D1 = -p and D = 



signature is verified by the steps of: 5 

(b1) checking whether a norm N(S) of the sig- 
nature S is smaller than k bits or not, and judg- 
ing that the signature S is illegal when the norm 
N(S) is larger than k bits, or generating a chal- 10 
lenge C when the norm N(S) is not larger than 
k bits, by computing the message ideal M of the 
public keys, generating a random integer r 
smaller than t bits, computing H = (M/S) r , gen- 
erating a random ideal B whose norm is smaller 15 
than k-1 bits, and computing the challenge C = 
BH, at a user side; 

(b2) computing a response W by mapping the 
challenge C to the class group CI(D1) and pull- 
ing the mapped challenge C back to the class 20 
group CI(D) and squaring a result of mapping 
and pulling back, using the secret keys (D1 , q), 
at a certificate authority side; and 
(b3) checking whether W = B 2 holds or not, and 
Judging that the signature S is legal when W = 25 
B 2 holds or that the signature S is Illegal other- 
wise, at the user side. 

14. A method for enabling a user to check authenticity 
or an e-commerce/information service provider, 30 
comprising the steps of: 

(a) issuing public keys, secret keys, and a sig- 
nature for the public keys from a certificate au- 
thority to the e-commerce/lnformation service 35 






19. The method of claim 18, wherein at the step (a) the 
signature is generated according to an undeniable 
digital signature scheme based on a quadratic field. 

20. The method of claim 19, wherein at the step (a) the 
signature is generated by the steps of: 

(a1) generating public keys (D, P, k, t) and 
secret keys (D1, q) at the certificate authority, 
by generating two primes p, q (p, q > 4, p = 3 
mod 4, √(p/3) < q), computing D1 = -p and D = 
D1q², obtaining a bit length k of √(|D1|/4) and a 
bit length t of q-(D1/q) where (D1/q) denotes 
Kronecker symbol, and generating a kernel element 
P of a map from a class group Cl(D) to 
a class group Cl(D1); and 
(a2) generating the signature S for the hash value 
of the home page at the certificate authority, 
by embedding the hash value of the home page 
into a message ideal M in the class group Cl(D) 
where a norm of the message ideal M is larger 
than k+1 bits, and mapping the message ideal 
M to the class group Cl(D1) and pulling the 
mapped message ideal M back to the class 
group Cl(D). 

21. The method of claim 20, wherein at the step (c) the 
signature is verified by the steps of: 

(c1) checking whether a norm N(S) of the signature 
S is smaller than k bits or not, and judging 
that the signature S is illegal when the norm 
N(S) is larger than k bits, or generating a challenge 
C when the norm N(S) is not larger than 
k bits, by computing the message ideal M of the 
public keys, generating a random integer r 
smaller than t bits, computing H = (M/S)^r, generating 
a random ideal B whose norm is smaller 
than k-1 bits, and computing the challenge C = 
BH, at the user side; 
(c2) computing a response W by mapping the 
challenge C to the class group Cl(D1) and pulling 
the mapped challenge C back to the class 
group Cl(D) and squaring a result of mapping 
and pulling back, using the secret keys (D1, q), 
at a certificate authority side; and 
(c3) checking whether W = B² holds or not, and 
judging that the signature S is legal when W = 
B² holds or that the signature S is illegal otherwise, 
at the user side. 
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